Configure the Sinkhole IP Address to a Local Server on Your Network
Where Can I Use
What Do I Need? Threat Prevention or Threat Prevention License
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.
You must obtain both an IPv4 and an IPv6 address to use as the sinkhole IP addresses, because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts, so that when an infected host attempts to start a session with the sinkhole IP address, the session is routed through the firewall. The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honeypot server as a physical host to further analyze the malicious traffic.
The configuration steps that follow use the following example DNS sinkhole addresses:
DNS sinkhole address—10.15.0.20
IPv6 DNS sinkhole address—fd97:3dec:4d27:e37c:5:5:5:5
Configure the sinkhole interface and zone.
Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so that the traffic is logged. Use a dedicated zone for sinkhole traffic, because the infected host will be sending traffic to this zone.
Select an interface to configure as your sinkhole interface. To add an IPv4 address, select the IPv4 tab and add the address; in this example, add 10.15.0.20 as the IPv4 DNS sinkhole address. Then select the IPv6 tab and add an IPv6 address and subnet mask; in this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
Edit the security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination, and attach the Anti-Spyware profile.
Editing the Security policy rule(s) that allow traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
Select an existing rule that allows traffic from the client host zone to the untrust zone. Add the Sinkhole zone as a destination; this allows client host traffic to flow to the sinkhole zone. Select the Log at Session Start check box to enable logging. This ensures that traffic from client hosts in the Trust zone is logged when accessing the Untrust or Sinkhole zone. Attach the Anti-Spyware profile in which you enabled DNS sinkholing. Save the Security policy rule.
To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged. In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
From a client host in the trust zone, open a command prompt and run the following command: ping 10.15.0.20. The following example output shows the ping request to the DNS sinkhole address at 10.15.0.20 and the result, which is "Request timed out" because in this example the sinkhole IP address is not assigned to a physical host:
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
On the firewall, view the traffic logs and locate the log entry with the Source 192.168.2.10 and Destination 10.15.0.20. This confirms that the traffic to the sinkhole IP address is traversing the firewall zones.
You can search and/or filter the logs to show only entries with the destination 10.15.0.20. To do this, click the IP address (10.15.0.20) in the Destination column, which adds the filter (addr.dst in 10.15.0.20) to the search field. Click the Apply Filter icon to the right of the search field to apply the filter.
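As an added example, not part of the original documentation: a small Python script that applies a filter written in the page's own notation, such as (addr.dst in 10.15.0.20), to a constructed traffic-log excerpt and then lists the source hosts that contacted the sinkhole addresses, which is the detection the verification step is really after. The log column layout, zone names and client addresses are assumptions made for the example, and the filter parser understands only a conjunction of (field op value) terms; it is not the firewall's filter grammar. It goes slightly beyond the page by also accepting a CIDR prefix in a filter and by counting sessions to the IPv6 sinkhole address.

```python
import ipaddress
import re

# Sinkhole addresses from the page's example configuration.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed traffic-log excerpt. The column layout is a simplification chosen
# for this example (time, from zone, to zone, source, destination, destination
# port, protocol, action); it is not the firewall's export schema.
SAMPLE_TRAFFIC_LOG = """\
2024-01-15 10:00:01,trust,untrust,192.168.2.10,192.0.2.53,53,udp,allow
2024-01-15 10:00:02,trust,sinkhole,192.168.2.10,10.15.0.20,0,icmp,allow
2024-01-15 10:00:03,trust,sinkhole,192.168.2.10,10.15.0.20,80,tcp,allow
2024-01-15 10:00:04,trust,untrust,192.168.2.11,203.0.113.5,443,tcp,allow
2024-01-15 10:00:05,trust,sinkhole,2001:db8:2::12,fd97:3dec:4d27:e37c:5:5:5:5,443,tcp,allow
"""

COLUMNS = ["time", "from_zone", "to_zone", "src", "dst", "dport", "proto", "action"]


def parse_traffic_log(text):
    """Parse the constructed comma-separated log into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"malformed log line: {line!r}")
        entries.append(dict(zip(COLUMNS, fields)))
    return entries


# Filter terms in the style the page shows, e.g. "(addr.dst in 10.15.0.20)".
# Assumption for this example: only a conjunction of such terms is supported,
# and 'in' additionally accepts a CIDR prefix.
FIELD_MAP = {"addr.src": "src", "addr.dst": "dst", "zone.src": "from_zone", "zone.dst": "to_zone"}
TERM_RE = re.compile(r"\(\s*([\w.]+)\s+(in|eq)\s+([^\s)]+)\s*\)")


def apply_filter(entries, expression):
    """Return the entries matching every (field op value) term in the expression."""
    terms = TERM_RE.findall(expression)
    if not terms:
        raise ValueError(f"no filter terms recognised in {expression!r}")

    def term_matches(entry, field, value):
        if field not in FIELD_MAP:
            raise ValueError(f"unsupported filter field {field!r}")
        column = FIELD_MAP[field]
        if field.startswith("addr."):
            # Compare as addresses so IPv6 spelling differences do not matter.
            addr = ipaddress.ip_address(entry[column])
            if "/" in value:
                return addr in ipaddress.ip_network(value, strict=False)
            return addr == ipaddress.ip_address(value)
        return entry[column] == value

    return [e for e in entries if all(term_matches(e, f, v) for f, _op, v in terms)]


def suspected_infected_hosts(entries, sinkholes=SINKHOLE_ADDRESSES):
    """Map each source address that opened a session to a sinkhole address to its session count."""
    counts = {}
    for e in entries:
        if ipaddress.ip_address(e["dst"]) in sinkholes:
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    # The same filter the page adds by clicking the destination address.
    for e in apply_filter(entries, "(addr.dst in 10.15.0.20)"):
        print(e["time"], e["src"], "->", e["dst"], f"({e['from_zone']} -> {e['to_zone']})")
    print("hosts that contacted a sinkhole address:", suspected_infected_hosts(entries))
```

Any source that shows up in suspected_infected_hosts has had a DNS answer forged to the sinkhole and then tried to use it, which is the signal that distinguishes an infected host from the rest of the trust zone; the zone pair printed for each session also confirms that the traffic crossed from the client zone into the dedicated sinkhole zone.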
Test that DNS sinkholing is configured properly.
You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
Find a malicious domain that is included in the firewall’s current Antivirus signature database to test sinkholing. In the Antivirus section, click the release notes link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.
In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column displays the domain name. For example, Antivirus release 1117-1560 includes an item in the left column named "tbsbana" and the right column lists "net". The following shows the content in the release note for this line item:
From the client host, open a command prompt and perform an NSLOOKUP on the domain that you identified as a known malicious domain. In the output, note that the NSLOOKUP response for the malicious domain has been forged using the sinkhole IP address that you configured (10.15.0.20). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
On the firewall, locate the corresponding threat log entry to verify that the correct action was taken on the NSLOOKUP request.
Perform a ping to the malicious domain, which will generate network traffic to the sinkhole address.
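As an added example, not part of the original documentation: a Python script that parses Windows-style NSLOOKUP output like the test above produces and reports whether every answer was forged to one of the configured sinkhole addresses. The transcripts are constructed; the domain tbsbana.net is the one built from the release-note line item above, while the resolver name and the non-sinkhole answers are placeholders. It goes beyond the page in one respect: it flags the case where only one address family was sinkholed, which is the symptom of the missing IPv4 or IPv6 sinkhole address the page warns about at the start.

```python
import ipaddress
import re

# Sinkhole addresses from the page's example configuration.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed NSLOOKUP transcripts in the Windows nslookup layout. The resolver
# name and the non-sinkhole answer addresses are placeholders.
SINKHOLED_OUTPUT = """\
Server:  dns.example.local
Address:  192.168.2.1

Non-authoritative answer:
Name:    tbsbana.net
Addresses:  fd97:3dec:4d27:e37c:5:5:5:5
          10.15.0.20
"""

NOT_SINKHOLED_OUTPUT = """\
Server:  dns.example.local
Address:  192.168.2.1

Non-authoritative answer:
Name:    tbsbana.net
Address:  203.0.113.7
"""

# Only the A record was forged: the AAAA answer still points at a real host,
# which is what you see when no IPv6 sinkhole address has been configured.
PARTIALLY_SINKHOLED_OUTPUT = """\
Server:  dns.example.local
Address:  192.168.2.1

Non-authoritative answer:
Name:    tbsbana.net
Addresses:  2001:db8::1
          10.15.0.20
"""

ADDRESS_LABEL = re.compile(r"^Address(?:es)?:\s*")


def parse_nslookup_answers(output):
    """Return the answer addresses from nslookup output as ipaddress objects.

    The Server:/Address: pair at the top identifies the resolver, not the
    answer, so only addresses after the Name: line are collected. Continuation
    lines carry a bare address; any other line (e.g. Aliases:) ends the answer.
    """
    answers = []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer or not line:
            continue
        try:
            answers.append(ipaddress.ip_address(ADDRESS_LABEL.sub("", line)))
        except ValueError:
            in_answer = False
    return answers


def classify_resolution(output, sinkholes=SINKHOLE_ADDRESSES):
    """Report whether the resolution was sinkholed, and for which address families."""
    answers = parse_nslookup_answers(output)
    forged = [a for a in answers if a in sinkholes]
    real = [a for a in answers if a not in sinkholes]
    return {
        "answers": [str(a) for a in answers],
        "sinkholed": bool(answers) and not real,   # every answer is a sinkhole address
        "partial": bool(forged) and bool(real),    # one family forged, the other not
        "ipv4_sinkholed": any(a.version == 4 for a in forged),
        "ipv6_sinkholed": any(a.version == 6 for a in forged),
    }


if __name__ == "__main__":
    samples = [
        ("sinkholed", SINKHOLED_OUTPUT),
        ("not sinkholed", NOT_SINKHOLED_OUTPUT),
        ("partial", PARTIALLY_SINKHOLED_OUTPUT),
    ]
    for label, text in samples:
        print(label, classify_resolution(text))
```

A "partial" result is the one to act on: the domain was recognised, but one of the two answers still leads to the real host, so an infected client that prefers that address family never touches the sinkhole zone and never appears in the traffic log filter used in the verification step.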